Abstract

is then used to show that the given system satisfies the requirements. One type of mapping is
based on a collection of “variant functions” providing measures of progress toward timing goals.
The technique is illustrated with two examples, a simple resource manager and a two-process

1 Introduction


Assertional reasoning is a very useful technique for proving safety properties of sequential and
concurrent algorithms. This proof method involves describing the algorithm of interest as a
state machine, and defining a predicate known as an assertion on the states of the machine.
One proves inductively that the assertion is true of all the states that are reachable in a
computation of the machine, i.e., that it is an invariant of the machine. The assertion is
defined so that it implies the safety property to be proved. Assertional reasoning is a rigorous,
simple and general proof technique. Furthermore, the assertions usually provide an intuitively
appealing explanation of why the algorithm satisfies the property.

One  kind  of  assertional  reasoning  uses  a  mapping  to  describe  a  correspondence  between 
the  given  algorithm  and  a  higher-level  algorithm  used  as  a  specification  of  correctness.  (See, 
for  example,  [La83,  Ly86,  LT87].)  Such  mappings  may  be  single-valued  or  multi-valued. 

So  far,  assertional  reasoning  has  been  used  primarily  to  prove  properties  of  sequential 
algorithms  and  synchronous  and  asynchronous  concurrent  algorithms.  We  would  also  like 
to  use  this  technique  to  prove  properties  of  concurrent  algorithms  whose  operation  depends 
on  time,  e.g.,  ones  that  arise  in  real-time  systems  or  ones  that  rely  on  clocks  that  tick  at 
approximately  known  rates.  Also,  the  kinds  of  properties  generally  proved  using  assertional 
reasoning  have  been  “ordinary”  safety  properties;  we  would  like  to  use  similar  methods  to 
prove  timing  properties  (upper  and  lower  bounds  on  time)  for  algorithms  that  have  timing 
assumptions.  Predictable  performance  is  often  a  desirable  characteristic  of  real-time  systems 
[SR89];  assertional  techniques  could  be  very  helpful  in  proving  such  performance  properties. 

In this paper, we describe one way in which assertional reasoning can be used to prove timing
properties for algorithms that have timing assumptions. Our method involves constructing
a multi-valued mapping from an automaton representing the given algorithm to another
automaton representing the timing requirements. The key to our method is a way of representing
a system with timing constraints as an automaton whose state includes predictive timing
information. Timing assumptions and timing requirements for the system are both represented
in this way, and the mappings we construct map from the “assumptions automaton” to the
“requirements automaton”. One type of mapping is based on a collection of “variant functions”
providing measures of progress toward timing goals.

We describe our method in terms of the timed automaton model, a slight variant of the time
constrained automaton model of [MMT88]. We use this model to state the requirements to be
satisfied, to define the basic architectural and timing assumptions, to describe the algorithms,
and to prove their correctness and timing properties. A timed automaton is a pair (A,b),
consisting of an I/O automaton [LT87, LT89], together with a boundmap, which is a formal
description of the timing assumptions for the components of the system. A timed automaton
generates a set of timed executions which describe the operation of the algorithm, and a
corresponding set of timed behaviors which describe the algorithm’s externally-visible activity. In
this paper, a timed automaton (A,b) is used to describe the given system (including its timing
assumptions), and another timed automaton (A',b') is used to describe the correctness and
timing requirements.

While convenient for specifying timing assumptions and requirements, timed automata are
not directly suited for carrying out assertional proofs about timing properties, because timing
properties are described externally (by boundmaps) rather than being built into the automaton
itself. We therefore introduce a way of incorporating timing conditions into an automaton
definition. For a given timed automaton (A,b), we define the automaton time(A,b) to be an
ordinary I/O automaton (not a timed automaton) whose state includes predictive information
describing the first and last times at which various events can next occur; this information is
designed to enforce the timing conditions expressed by the boundmap b. The I/O automaton
time(A,b) is related to the timed automaton (A,b) in that a certain subset of the behaviors
of time(A,b), which we call the “admissible” behaviors, is exactly equal to the set of timed
behaviors of (A,b).

We apply this construction to both the system description (A,b) and the requirements
description (A',b'); our “assumptions automaton” is defined to be time(A,b) and our
“requirements automaton” is time(A',b'). Then the problem of showing that a given algorithm (A,b)
satisfies the timing requirements amounts to that of showing that any admissible behavior of
the automaton time(A,b) is also an admissible behavior of time(A',b'). We do this by using
invariant assertion techniques; in particular, we demonstrate a multi-valued mapping from
states of time(A,b) to states of time(A',b').

We define a special class of multi-valued mappings that appears to be especially useful.
Each such mapping is defined by a collection of inequalities relating the time bounds to be
proved (those expressed by b') to the values of a collection of “variant functions” defined on
the states of time(A,b). These variant functions provide upper and lower bound measures
of progress toward the timing goals expressed by b'. These functions generalize the notion of
variant function commonly used to prove termination of sequential programs and asynchronous
concurrent programs (see, e.g., the description of the method of well-founded sets in [M74]),
to allow real-valued rather than just discrete measures, and to allow proofs of lower bounds as
well as upper bounds.

In order to demonstrate the use of our technique, we apply it to two examples. The first
example is a simple timing-dependent, resource granting system, consisting of two concurrently-operating
components, a clock and a manager. The manager monitors the clock ticks, which
occur at an approximately known rate, and whenever a certain number have occurred, it grants
the resource. We prove upper and lower bounds on the amount of time prior to the first grant
and between each successive pair of grants.

The second example involves one process incrementing a counter until another process
modifies a flag, and then decrementing the counter. When the counter reaches 0, the first
process announces that it is done. We show upper and lower bounds on the time until the
“done” announcement occurs.

Technically, mapping techniques of the sort used in this paper are only capable of proving
safety properties, but not liveness properties. Timing properties have aspects of both safety
and liveness. A timing lower bound asserts that an event cannot occur before a certain amount
of time has elapsed; a violation of this property is detectable after a finite prefix of a timed
execution, and so a timing lower bound can be regarded as a safety property. A timing upper
bound asserts that an event must occur before a certain amount of time has elapsed. This
can be regarded as making two separate claims: that the designated amount of time does in
fact elapse (a liveness property), and that this amount of time cannot elapse without the event
having occurred (a safety property). In this paper, we assume the liveness property that time
increases without bound, so that all the remaining properties that need to be proved in order
to prove either upper or lower time bounds are safety properties. Thus, our mapping technique
provides complete proofs for timing properties without requiring any additional techniques for
arguing liveness.

There has been some prior work on using assertional reasoning to prove timing properties.
In particular, Haase [H81], Shankar and Lam [SL87], Tel [T88], Schneider [S88], Lewis [Le89]
and Shaw [S89] have all developed models for timing-based systems that incorporate time
information into the state, and have used invariant assertions to prove timing properties. In
[T88] and [Le89], in fact, the information that is included is similar to ours in that it is also
predictive timing information (but not exactly the same information as ours). None of this
work has been based on mappings, however.

Several other, quite different formal approaches to proving timing properties have also been
developed, based on finite state machines, weakest preconditions, first-order logic, temporal
logic, Petri nets, and process algebras. Some representative papers describing these other
methods are [BH81], [KVR83], [JM87], [Ho87], [Zw88], [JS88], and [GF88].

The rest of the paper is organized as follows. Section 2 contains a description of the
underlying formal models: I/O automata and timed automata. Section 3 contains the
construction used to incorporate timing conditions into I/O automata, and some basic properties
of these automata. Section 4 contains our definitions for mappings and for collections of variant
functions, and shows that the existence of such mappings and collections implies that a given
algorithm satisfies a given set of timing requirements. Section 5 contains our examples, the
simple resource-granting system and the two-process race system. For each of these examples,
this section contains a description of the system, a description of the corresponding requirements
automaton, and a correctness proof using mappings. We conclude with a discussion in
Section 6.

2  Formal  Model 

In  this  section,  we  present  the  definitions  for  the  underlying  formal  model.  In  particular,  we 
define  I/O  automata,  timed  automata  and  timing  conditions.  We  also  present  some  of  their 
relevant  properties. 


2.1  I/O  Automata 


We  begin  by  summarizing  some  of  the  key  definitions  for  the  I/O  automaton  model.  We  refer 
the  reader  to  [LT87,  LT89]  for  a  complete  presentation  of  the  model  and  its  properties. 

An I/O automaton, A, consists of the following pieces: acts(A), a set of actions, classified
as output, input and internal (input and output actions are called external); states(A), a set of
states, including a distinguished subset, start(A), of start states; steps(A), a set of steps, where
a step is defined to be a (state, action, state) triple; and part(A), a partition of the locally
controlled (output and internal) actions into equivalence classes; the partition groups together
actions that are to be thought of as under the control of the same underlying process.

An action π is said to be enabled in a state s' provided that there is a step of the form
(s', π, s). An automaton is required to be input enabled, which means that every input action
must be enabled in every state. For any set Π ⊆ acts(A), we denote by enabled(A, Π) the set
of states of A in which some action in Π is enabled, and by disabled(A, Π) the set of all
states of A not in enabled(A, Π), that is, disabled(A, Π) = states(A) \ enabled(A, Π).

An execution fragment of an I/O automaton A is a sequence (finite or infinite) of alternating
states and actions

$s_0, \pi_1, s_1, \ldots, s_{i-1}, \pi_i, s_i, \ldots$

where for every i, $(s_{i-1}, \pi_i, s_i) \in steps(A)$. (If the sequence is finite, then it is required to
end with a state.) An execution is an execution fragment with $s_0 \in start(A)$. The schedule
of an execution α is the subsequence consisting of the actions appearing in α and is denoted
sched(α). The behavior of an execution α of A is the subsequence of α consisting of external
actions appearing in α and is denoted beh(α). The schedules and behaviors of A are just those
of the executions of A. An extended step is a triple (s', β, s) for which there exists an execution
fragment that starts and ends with s' and s, respectively, and whose schedule is β.

Concurrent systems are modeled by compositions of I/O automata, as defined in [LT87,
LT89]. In order to be composed, automata must be strongly compatible; this means that no
action can be an output of more than one component, that internal actions of one component
are not shared by any other component, and that no action is shared by infinitely many
components. The result of such a composition is another I/O automaton. The hiding operator
can be applied to reclassify output actions as internal actions.

2.2  Timed  Automata 

In this subsection, we augment the I/O automaton model to allow discussion of timing
properties. The treatment here is similar to the one described in [AtL89] and is a special case of
the definitions proposed earlier in [MMT88].

A boundmap for an I/O automaton A is a mapping that associates a closed subinterval
of [0, ∞] with each class in part(A), where the lower bound of each interval is not ∞ and the
upper bound is nonzero. Intuitively, the interval associated with a class C by the boundmap
represents the range of possible lengths of time between successive times when C “gets a
chance” to perform an action. We sometimes use the notation b_l(C) to denote the lower
bound assigned by boundmap b to class C, and b_u(C) for the corresponding upper bound. A
timed automaton is a pair (A,b), where A is an I/O automaton and b is a boundmap for A.

We require notions of “timed execution”, “timed schedule” and “timed behavior” for timed
automata, corresponding to executions, schedules and behaviors for ordinary I/O automata.
These will all include time information. We begin by defining the basic type of sequence that
underlies the definition of a timed execution.

Definition 2.1 A timed sequence (for an I/O automaton A) is a (finite or infinite) sequence
of alternating states and (action, time) pairs,

$s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots$

satisfying the following conditions.

1. The states $s_0, s_1, \ldots$ are in states(A).

2. The actions $\pi_1, \pi_2, \ldots$ are in acts(A).

3. The times $t_1, t_2, \ldots$ are successively nondecreasing nonnegative real numbers.

4. If the sequence is finite, then it ends in a state.

5. If the sequence is infinite, then the times are unbounded.

For a given timed sequence, we use the convention that $t_0 = 0$. For any finite timed sequence
α, we define $t_{end}(\alpha)$ to be the time of the last event in α, if α contains any (action, time) pairs,
or 0, if α contains no such pairs; also, we define $s_{end}(\alpha)$ to be the last state in α. We denote
by ord(α) (the “ordinary” part of α) the sequence

$s_0, \pi_1, s_1, \pi_2, \ldots$

i.e., α with time information removed.

If i is a nonnegative integer and C ∈ part(A), we say that i is an initial index for C in α if
$s_i \in enabled(A, C)$ and either i = 0 or $s_{i-1} \in disabled(A, C)$ or $\pi_i \in C$. Thus, an initial index
for class C is the index of a step at which C becomes enabled; it indicates a point in α from
which we will begin measuring upper and lower time bounds.

Definition 2.2 Suppose (A,b) is a timed automaton. Then a timed sequence α is a timed
execution of (A,b) provided that ord(α) is an execution of A and α satisfies the following
conditions, for each class C ∈ part(A) and every initial index i for C in α.

1. If $b_u(C) < \infty$ then there exists j > i with $t_j \le t_i + b_u(C)$ such that either $\pi_j \in C$ or
$s_j \in disabled(A, C)$.

2. There does not exist j > i with $t_j < t_i + b_l(C)$ and $\pi_j \in C$.

The first condition says that, starting from an initial index for C, within time b_u(C) either
some action in C occurs or there is a point at which no such action is enabled. Note that if
b_u(C) = ∞, no upper bound requirement is imposed. The second condition says that, again
starting from an initial index for C, no action in C can occur before time b_l(C) has elapsed.
Note in particular that if a class C becomes disabled and then enabled once again, the lower
bound calculation gets “restarted” at the point where the class becomes re-enabled.

The timed schedule of a timed execution of a timed automaton (A,b) is the subsequence
consisting of the (action, time) pairs, and the timed behavior is the subsequence consisting of the
(action, time) pairs for which the action is external. The timed schedules and timed behaviors
of (A,b) are just those of the timed executions of (A,b).

The definition of a timed execution contains aspects of both safety and liveness. Occasionally,
it is useful to focus on the safety aspects alone. We thus define the notion of a “timed
semi-execution” to capture the safety part of the definition of a timed execution.

Definition 2.3 Suppose (A,b) is a timed automaton. Then a finite timed sequence α is a
timed semi-execution of (A,b) provided that ord(α) is an execution of A and α satisfies the
following conditions, for each class C of part(A) and every initial index i for C in α.

1. If $b_u(C) < \infty$, then either $t_{end}(\alpha) < t_i + b_u(C)$ or there exists j > i with $t_j \le t_i + b_u(C)$
such that either $\pi_j \in C$ or $s_j \in disabled(A, C)$.

2. There does not exist j > i with $t_j < t_i + b_l(C)$ and $\pi_j \in C$.

This definition is identical to that of a finite timed execution, except for the “either” clause
in the first item. This clause allows an action to fail to occur if insufficient time has passed.

The  following  result  gives  a  condition  on  a  timed  semi-execution  that  ensures  that  it  is  a 
timed  execution. 

Lemma 2.1 Suppose that α is a timed semi-execution of a timed automaton (A,b). Then α
is a timed execution if and only if each locally controlled action of A that is enabled in state
$s_{end}(\alpha)$ is in a partition class C in part(A) such that $b_u(C) = \infty$.

Proof: Straightforward. ■

The  following  lemma  says  that  the  limit  of  a  sequence  of  timed  semi-executions  in  which 
the  times  are  unbounded  must  be  a  timed  execution. 
Lemma 2.2 Let $\alpha_1, \alpha_2, \ldots$ be a sequence of timed semi-executions of (A,b) such that the following
conditions hold.

1. For any i ≥ 1, $\alpha_i$ is a prefix of $\alpha_{i+1}$.

2. $\lim_{i \to \infty} t_{end}(\alpha_i) = \infty$.

Then the limit of the $\alpha_i$ under the extension ordering is a timed execution of (A,b).

Proof: Straightforward. ■

We model each timing-dependent concurrent system as a single timed automaton (A,b),
where A is a composition of ordinary I/O automata (possibly with some output actions
hidden).¹ We also model problem specifications, including timing properties, in terms of timed
automata.

We note that the definition we use for timed automata may not be sufficiently general
to capture all interesting systems and timing requirements. It does capture many, however; we
will have more to say about this matter in Section 6.

3  Incorporating  Timing  Conditions  into  I/O  Automata 

In order to use invariant assertion techniques to reason about timed automata, we define an
ordinary I/O automaton time(A,b) corresponding to a given timed automaton (A,b). This
new automaton has the timing restrictions imposed by b on A built into its transition rules,
based on predictions about when the next event from each set of actions will occur. In this
section, we give the construction of time(A,b) and also give results that relate the executions
and behaviors of time(A,b) to the timed executions and timed behaviors of (A,b).

The close relationships between (A,b) and time(A,b) suggest the possibility of avoiding
the timed automaton definition entirely, instead using the time(A,b) notion as the starting
point for our work. We prefer to begin with the timed automaton definition because we
regard that definition as the more fundamental of the two, expressed as it is in terms of a
traditional asynchronous system with some additional timing restrictions. As will be seen
below, the time(A,b) definition introduces special constructs (e.g., special NULL actions and
special variables such as time), which are quite useful in proofs, but which do not seem to be
fundamental parts of system descriptions. Another reason we prefer to begin with the timed
automaton definition is that it has already been used elsewhere. Moreover, we believe that the
elegant relationship between the two expressed by Theorem 3.3 is interesting in its own right.

¹An equivalent way of looking at each system is as a composition of timed automata. An appropriate
definition for a composition of timed automata is developed in [MMT88], together with theorems showing the
equivalence of the two viewpoints.
3.1 Definition of time(A,b)


Given any timed automaton (A,b), we define the ordinary I/O automaton time(A,b). The
automaton time(A,b) has as its actions all pairs of the form (π, t), where π is an element of
acts(A) ∪ {NULL} and t is a nonnegative real number; here NULL is a “dummy action” that
represents the passage of time. The classification of actions into input, output and internal
actions is derived from that for A, with the additional stipulation that each (NULL, t) is an
internal action. Each of the states of time(A,b) consists of a state, basic, of A, augmented
with a variable time, and, for each class C of the partition of A, two variables first(C) and
last(C). The value of the time variable represents the time of the last preceding event. The
values of the first(C) and last(C) variables represent, respectively, the first and last times at
which an event in class C is permitted to occur.

We use record notation to denote the various components of the state of time(A,b): for
instance, s.basic denotes the state of A included in state s of time(A,b). Each start state of
time(A,b) consists of a start state s of A, plus time = 0, plus values of first(C) and last(C)
with the following property: if there is an action in C enabled in s, then s.first(C) = b_l(C) and
s.last(C) = b_u(C); otherwise, s.first(C) = 0 and s.last(C) = ∞. That is, if the start state of
A has an action in C enabled, then the predicted times are the ones specified in the boundmap
for C; otherwise, they are set to default values.

If (π, t) is an action of time(A,b), then (s', (π, t), s) is defined to be a step of time(A,b)
exactly if all of the following conditions hold.

1. If π ∈ acts(A) then:

(a) s'.time = t = s.time.

(b) (s'.basic, π, s.basic) ∈ steps(A).

(c) For each C ∈ part(A):

i. If π ∈ C then s'.first(C) ≤ t.

ii. If s.basic ∈ enabled(A,C) and π ∉ C and s'.basic ∈ enabled(A,C) then
s.first(C) = s'.first(C) and s.last(C) = s'.last(C).

iii. If s.basic ∈ enabled(A,C) and either π ∈ C or s'.basic ∈ disabled(A,C) then
s.first(C) = t + b_l(C) and s.last(C) = t + b_u(C).

iv. If s.basic ∈ disabled(A,C), then s.first(C) = 0 and s.last(C) = ∞.

2. If π = NULL then

(a) s'.time ≤ t = s.time.

(b) s.basic = s'.basic.

(c) t ≤ s'.last(C), for each C ∈ part(A).

(d) s.first(C) = s'.first(C) and s.last(C) = s'.last(C), for each C ∈ part(A).
The meaning of these conditions is as follows. Condition 1 describes restrictions for the case
where π is an action of A. Condition 1(a) says that time does not pass during the performance
of non-null actions and Condition 1(b) says that the steps associated with non-null actions
correctly simulate steps of A. Condition 1(c) describes the use and manipulation of the first
and last variables during non-null steps. Condition 1(c)i says that a locally controlled step is
only permitted to occur at a time that is at least as great as the first time specified for that
action’s partition class. Condition 1(c)ii says that an action not in a particular class that keeps
the class enabled does not alter the timing predictions for that class. Condition 1(c)iii says
that an action that enables a particular class sets the timing predictions for that class to the
values specified by the boundmap. Finally, Condition 1(c)iv says that an action that leaves a
particular class disabled sets the timing predictions to the default values.

Similarly, Condition 2 describes restrictions for the case where π is the special null action.
Condition 2(a) says that time cannot move backwards when a null action is performed, and
Condition 2(b) says that the steps associated with null actions do not cause any changes to
the underlying state of A. Condition 2(c) says that time cannot pass beyond the latest time
specified for any class, and Condition 2(d) says that timing predictions are unaltered by the
passage of time.

It is easy to check that for any reachable state s of time(A,b) and any class C of the partition,
the following facts are true. First, it must be the case that s.last(C) ≥ s.time (although it
is possible to have s.first(C) < s.time). Second, if s.basic ∈ enabled(A,C) then s.last(C) ≤
s.time + b_u(C) and s.first(C) ≤ s.time + b_l(C). Third, if s.basic ∈ disabled(A,C) then both the
last(C) and first(C) variables have their default values (∞ and 0, respectively).

The partition classes for time(A,b) are derived one-for-one from those of A, with the
addition of a single new class for all the (NULL, t) actions.² Note that a similar automaton
was defined in [AtL89, LyA90]; it differs in not containing special “null” actions.

We will be particularly interested in a subset of the executions of time(A,b), that we call
the “admissible executions”. Informally, the admissible executions are those in which time
continues to pass without bound.

Definition 3.1 An execution of time(A,b) is said to be admissible provided it contains infinitely
many NULL actions and the times of these actions are unbounded. The admissible
schedules and admissible behaviors of time(A,b) are defined to be the schedules and behaviors,
respectively, of admissible executions of time(A,b).


In  each  of  our  examples  in  this  paper,  we  will  apply  the  time(A,b)  construction  to  a  timed 
automaton  A  modeling  the  entire  system  under  consideration. 

²We will not need these classes in this paper, however, since the purpose of I/O automaton partition classes
is to enforce fairness to the components of the system, and we will not require such fairness conditions.


3.2  Basic  Properties 

We now relate the timed executions of (A,b) to the executions of the corresponding I/O
automaton time(A,b).

If α is an execution of time(A,b), we define project(α) to be the timed sequence obtained
from α by mapping each occurrence of a state s in α to s.basic while keeping the (action, time)
pairs intact, and then removing any NULL events, together with their immediately following
states. We first show the following simple correspondence between timed semi-executions of
(A,b) and finite executions of time(A,b).
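The following Python is an added illustration, not code from the paper: it encodes the step conditions 1 and 2 of the time(A,b) construction in Section 3.1 (start-state initialization, the first(C)/last(C) updates, and the NULL time-passage rule), runs a schedule of (action, time) pairs through the resulting automaton, and computes project(α) as just defined. The automaton used is a constructed two-class example (a TICK class and a GRANT class that is enabled once two ticks have been counted); its names, bounds and schedules are assumptions and not the paper's resource manager.

```python
"""time(A,b): an ordinary I/O automaton whose state carries predictive
first(C)/last(C) timing information, built from a timed automaton (A,b)."""
from dataclasses import dataclass
from math import inf
from typing import Callable, Dict, List, Optional, Tuple

NULL = "NULL"                                   # dummy action representing the passage of time
Boundmap = Dict[str, Tuple[float, float]]       # class C -> (b_l(C), b_u(C))


@dataclass(frozen=True)
class Automaton:
    """Constructed stand-in for an I/O automaton A (an assumption, not the paper's
    notation): `step(s', pi)` returns s when (s', pi, s) is in steps(A), else None;
    `enabled(s, C)` tests s in enabled(A, C); `klass` maps each locally controlled
    action to its partition class (input actions are absent from `klass`)."""
    start: object
    step: Callable[[object, str], Optional[object]]
    enabled: Callable[[object, str], bool]
    klass: Dict[str, str]


@dataclass(frozen=True)
class TimedState:
    """A state of time(A,b): basic state of A, current time, and predictions per class."""
    basic: object
    time: float
    first: Dict[str, float]
    last: Dict[str, float]


class TimingViolation(ValueError):
    """Raised with the label of the condition of the step definition that fails."""


def start_state(A: Automaton, b: Boundmap) -> TimedState:
    # Classes enabled in the start state get the boundmap predictions, others the defaults 0 / infinity.
    first = {C: (lo if A.enabled(A.start, C) else 0.0) for C, (lo, hi) in b.items()}
    last = {C: (hi if A.enabled(A.start, C) else inf) for C, (lo, hi) in b.items()}
    return TimedState(A.start, 0.0, first, last)


def time_step(A: Automaton, b: Boundmap, sp: TimedState, pi: str, t: float) -> TimedState:
    """Return s such that (s', (pi, t), s) is a step of time(A,b), or raise TimingViolation."""
    if pi == NULL:
        if t < sp.time:                                   # 2(a): time cannot move backwards
            raise TimingViolation("2(a)")
        for C in b:
            if t > sp.last[C]:                            # 2(c): time cannot pass any last(C)
                raise TimingViolation("2(c)")
        return TimedState(sp.basic, t, sp.first, sp.last)  # 2(b), 2(d): basic state and predictions kept
    if t != sp.time:                                      # 1(a): non-null actions take no time
        raise TimingViolation("1(a)")
    basic = A.step(sp.basic, pi)
    if basic is None:                                     # 1(b): must simulate a step of A
        raise TimingViolation("1(b)")
    first, last = {}, {}
    for C, (lo, hi) in b.items():
        in_C = A.klass.get(pi) == C
        if in_C and sp.first[C] > t:                      # 1(c)i: not before first(C)
            raise TimingViolation("1(c)i")
        if not A.enabled(basic, C):                       # 1(c)iv: class left disabled -> defaults
            first[C], last[C] = 0.0, inf
        elif in_C or not A.enabled(sp.basic, C):          # 1(c)iii: class acted or became enabled
            first[C], last[C] = t + lo, t + hi
        else:                                             # 1(c)ii: predictions carried over unchanged
            first[C], last[C] = sp.first[C], sp.last[C]
    return TimedState(basic, t, first, last)


def run(A: Automaton, b: Boundmap, events: List[Tuple[str, float]]) -> list:
    """Alternating sequence s0, (pi1,t1), s1, ... of time(A,b) starting from its start state."""
    alpha = [start_state(A, b)]
    for pi, t in events:
        alpha += [(pi, t), time_step(A, b, alpha[-1], pi, t)]
    return alpha


def check(A: Automaton, b: Boundmap, events: List[Tuple[str, float]]) -> Optional[str]:
    """Label of the first violated condition, or None when the schedule yields an execution."""
    try:
        run(A, b, events)
    except TimingViolation as e:
        return str(e)
    return None


def project(alpha: list) -> list:
    """project(alpha): states mapped to s.basic; NULL events and their following states removed."""
    out = [alpha[0].basic]
    for i in range(1, len(alpha), 2):
        pi, t = alpha[i]
        if pi != NULL:
            out += [(pi, t), alpha[i + 1].basic]
    return out


# Constructed example automaton (an assumption): the basic state is a tick count.
# Class "clock" holds TICK (always enabled); class "manager" holds GRANT, enabled when count >= 2.
def _step(count: int, pi: str) -> Optional[int]:
    if pi == "TICK":
        return count + 1
    if pi == "GRANT" and count >= 2:
        return 0
    return None


CLOCK_MANAGER = Automaton(start=0, step=_step,
                          enabled=lambda count, C: True if C == "clock" else count >= 2,
                          klass={"TICK": "clock", "GRANT": "manager"})
BOUNDS: Boundmap = {"clock": (1.0, 2.0), "manager": (0.0, 1.0)}   # constructed boundmap b

LEGAL = [(NULL, 1.5), ("TICK", 1.5), (NULL, 3.0), ("TICK", 3.0), (NULL, 3.8), ("GRANT", 3.8)]
TOO_EARLY = [(NULL, 0.5), ("TICK", 0.5)]        # a tick before b_l(clock) has elapsed: 1(c)i
TOO_LATE = LEGAL[:4] + [(NULL, 4.2)]            # time passes last(manager) = 4.0: 2(c)

if __name__ == "__main__":
    print(project(run(CLOCK_MANAGER, BOUNDS, LEGAL)))
    print(check(CLOCK_MANAGER, BOUNDS, TOO_EARLY), check(CLOCK_MANAGER, BOUNDS, TOO_LATE))
```

The two rejected schedules show the lower bound (Condition 1(c)i) and the upper bound (Condition 2(c)) being enforced by the transition rules rather than by an external boundmap check.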

Lemma 3.1 Let (A,b) be a timed automaton.

1. If α' is a timed semi-execution of (A,b), then there exists a finite execution α of time(A,b)
such that α' = project(α).

2. If α is a finite execution of time(A,b), then project(α) is a timed semi-execution of (A,b).

Proof: 1. Suppose that α' is a timed semi-execution of (A,b). First we construct α'', an
alternating sequence of states of A and actions of time(A,b), by inserting exactly one
NULL event before the first event in α' and between every pair of events in α'; more
precisely, if s and (π, t) occur consecutively in α', then α'' replaces this pair with the
sequence s, (NULL, t), s, (π, t).

Now we modify α'' to obtain α, a finite sequence of alternating states and actions of
time(A,b), by adding time, last and first variables to all the states in α''. We do this in
the unique way that guarantees that the first state is a start state of time(A,b) and that
Conditions 1(a), 1(c)ii-iv, 2(a) and 2(d) of the definition of time(A,b) are satisfied. Then
α' = project(α). We show that α is an execution of time(A,b) by showing that each step
of α satisfies the remaining conditions of the definition of time(A,b).

The fact that α' is a timed semi-execution of (A,b) implies Condition 1(b), and Condition
2(b) holds by construction. Condition 1 of Definition 2.3 ensures Condition 2(c) of the
definition of time(A,b), while Condition 2 of Definition 2.3 ensures Condition 1(c)i of
the definition of time(A,b).

2. Let α' = project(α). By Conditions 1(b) and 2(b) of the definition of time(A,b), ord(α') is an execution of the ordinary I/O automaton A. It remains to show that for every class C, α' satisfies Conditions 1 and 2 of Definition 2.3 for C (and every i ≥ 0).

The initialization and Condition 1(c)iii of the definition of time(A,b) imply that the correct upper bounds are assigned to the last(C) variable whenever C becomes enabled, and Conditions 1(c)ii and 2(d) imply that those bounds do not change until an action in C occurs or C becomes disabled. Condition 2(c) then implies that the upper bounds are respected, which implies Condition 1 of Definition 2.3 for C. Similarly, the initialization and Condition 1(c)iii imply that the correct lower bounds are assigned to the first(C) variable whenever C becomes enabled, and Conditions 1(c)ii and 2(d) imply that those bounds do not change until an action in C occurs or C becomes disabled. Condition 1(c)i then implies that the lower bound is respected, which implies Condition 2 of Definition 2.3 for C. ■


We can also relate the timed executions of a timed automaton (A,b) to the admissible executions of the corresponding I/O automaton time(A,b).

Lemma 3.2 1. If α' is a timed execution of (A,b), then there exists an admissible execution α of time(A,b) such that α' = project(α).

2. If α is an admissible execution of time(A,b), then project(α) is a timed execution of (A,b).


Proof: 1. Suppose α' is a timed execution of (A,b). We carry out a similar construction to that in Part 1 of Lemma 3.1, except that if α' is finite, we augment α with an infinite suffix of NULL actions, associated with times that increase without bound. The argument is similar to before.

2. Suppose that α = s_0, (π_1,t_1), s_1, ... is an admissible execution of time(A,b), and let α' = project(α). Let α_i be the prefix of α ending with s_i, and let α'_i = project(α_i), for each i ≥ 0. Then each α'_i is a prefix of α'_{i+1}, and α' is the limit of the α'_i under the extension ordering. Since α_i is a finite execution of time(A,b), Part 2 of Lemma 3.1 implies that α'_i is a timed semi-execution of (A,b), for each i ≥ 0. We consider two cases.

First, suppose α' is infinite. Then α does not have a suffix consisting entirely of NULL events. Since the times of the actions in α are unbounded, and α does not have a suffix consisting entirely of NULL events, it follows that lim_{i→∞} tend(α'_i) = ∞. Then Lemma 2.2 implies that α' is a timed execution of (A,b).

Second, suppose that α' is finite. Then α has a suffix consisting entirely of NULL events, say starting after s_j for some fixed j, and α' = α'_j. As argued above, α'_j is a timed semi-execution of (A,b). Condition 2(c) of the time(A,b) definition and the fact that times increase without bound in α imply that each locally controlled action of A that is enabled in state s_j.basic is in a partition class C in part(A) such that b_u(C) = ∞. Since send(α') = s_j.basic, Lemma 2.1 implies that α' is a timed execution of (A,b). ■


Now we obtain the main theorem relating the timed behaviors of (A,b) and the admissible behaviors of time(A,b).

Theorem 3.3 The set of timed behaviors of (A,b) is the same as the set of admissible behaviors of time(A,b).

Proof:  Immediate  by  Lemma  3.2.  ■ 

This theorem implies that properties of timed behaviors of a timed automaton (A,b) can be proved by proving them about the set of admissible behaviors of the corresponding I/O automaton time(A,b). The latter task is more amenable to treatment using assertional techniques.

4  Sufficient  Conditions  for  Inclusion  of  Timed  Behavior  Sets 

In this section, we describe a method for showing that the timed behaviors of one timed automaton, (A,b), are also timed behaviors of another timed automaton, (A',b'). This method uses the construction in Section 3; i.e., it involves showing that the admissible behaviors of time(A,b) are also admissible behaviors of time(A',b'). As we describe in Subsection 4.1, our basic method involves mapping states of time(A,b) to sets of states of time(A',b') and is a special case of the possibilities mapping method described in [LT87, LT89].

In the examples later in this paper (as well as others to which we have applied this mapping method), the mappings that are constructed are expressible in a particular form: in terms of inequalities involving the values of the state variables of the time(A,b) and time(A',b') automata. In particular, these inequalities assert that the value of each last(C) variable of time(A',b') is at least as great as a certain real-valued "variant function" of the values of the state variables of time(A,b), and also that the value of each first(C) variable of time(A',b') is no greater than another such function. These functions can be thought of as measures of progress of the system time(A,b) toward the goals of producing events from the various partition classes C of time(A',b'). In Subsection 4.2, we define our notion of variant function and show how they can be used to generate correct mappings.

Our  notion  of  variant  function  is  quite  similar  to  the  notion  of  variant  function  commonly 
used  to  prove  liveness  properties  of  sequential  and  asynchronous  concurrent  programs  (e.g.,  in 
[M74]);  however,  our  notion  generalizes  the  usual  notion  in  that  ours  allows  real-valued  rather 
than  just  discrete  measures,  and  that  ours  applies  to  lower  bounds  as  well  as  upper  bounds. 

4.1  Strong  Possibilities  Mappings 

In this subsection, we define the notion of a strong possibilities mapping from an automaton of the form time(A,b) to another automaton time(A',b').³ We then prove our basic theorem

³This is a strengthened version of the definition of "possibilities mapping" in [LT89], where the strengthening involves the addition of the third condition. The term "possibilities" is used to suggest the different possible states in an image set.
about strong possibilities mappings, namely, that the existence of such a mapping implies that the timed behaviors of (A,b) are all timed behaviors of (A',b').

Definition 4.1 Let (A,b) and (A',b') be timed automata with the same external action signature, and let Π be the common set of external actions. Let f be a mapping from states of time(A,b) to sets of states of time(A',b'). The mapping f is a strong possibilities mapping from time(A,b) to time(A',b') provided that the following conditions hold:

1. For every start state s of time(A,b), there is a start state u of time(A',b') such that u ∈ f(s).

2. If s' is a reachable state of time(A,b), u' ∈ f(s') is a reachable state of time(A',b') and (s', (π,t), s) is a step of time(A,b), then there is an extended step (u', β, u) of time(A',b') such that u ∈ f(s) and β|(Π × ℜ) = (π,t)|(Π × ℜ).⁴

3. If s and u are reachable states of time(A,b) and time(A',b'), respectively, and u ∈ f(s), then u.time = s.time.

The first condition in the mapping definition establishes a correspondence between start states of the two automata, while the second condition establishes a correspondence between steps of time(A,b) and extended steps (as defined in Section 2.1) of time(A',b'); this correspondence must preserve the sequences of timed external events. Finally, the third condition simply asserts that the current times of corresponding states must be identical.

The  following  key  lemma  says  that  the  existence  of  a  strong  possibilities  mapping  is  a 
sufficient  condition  for  the  inclusion  of  admissible  behaviors. 

Lemma 4.1 Suppose that there is a strong possibilities mapping from time(A,b) to time(A',b'). Then any admissible behavior of time(A,b) is an admissible behavior of time(A',b').

Proof: Let β be an admissible behavior of time(A,b), and let α be an admissible execution of time(A,b) such that β = beh(α).

For each finite prefix α_i of α that ends with a state, it is possible to construct a finite execution, α'_i, of time(A',b') such that beh(α'_i) = beh(α_i) and the values of the time variables of the final states of both executions are identical. Moreover, it is possible to do this in such a way that each α'_i is a prefix of α'_{i+1}. (The construction is by induction on i, using Conditions 1 and 2 of Definition 4.1.) Let α' be the limit of the α'_i; then α' is an execution of time(A',b'), and beh(α') = beh(α) = β.

Since α is admissible, the values of the time variables of the final states of the α_i increase without bound as i approaches infinity. Since the values of the time variables are the same in the final states of α_i and α'_i, the values of the time variables of the final states of the α'_i also increase without bound as i approaches infinity. It follows that α' is an admissible execution of time(A',b') with beh(α') = β. Thus, β is an admissible behavior of time(A',b'). ■

⁴We use the notation ℜ in this paper to represent the nonnegative real numbers.

Now we give the main theorem of this subsection, which expresses the basic mapping technique for timed automata.


Theorem 4.2 Suppose that there is a strong possibilities mapping from time(A,b) to time(A',b'). Then any timed behavior of (A,b) is a timed behavior of (A',b').

Proof:  Immediate  from  Lemma  4.1  and  Theorem  3.3.  ■ 

This theorem says that the existence of a strong possibilities mapping is sufficient by itself to yield the desired inclusion result for timed behaviors. Since the timed behaviors of a timed automaton embody both safety and liveness restrictions, it follows that this mapping technique suffices to show both types of properties. This is in contrast to the situation for non-timed systems, where analogous mapping techniques only yield safety properties. (In [AbL88], for example, extra machinery in the form of a "supplementary property" is added to the mapping machinery in order to allow proofs of liveness properties.)

4.2  Variant  Function  Collections 

In  this  subsection,  we  define  our  notion  of  variant  functions  and  show  how  they  can  be  used 
to  generate  strong  possibilities  mappings. 

The variant function definition is presented in terms of a pair of timed automata, (A,b) and (A',b'), where (A,b) describes the system under study and (A',b') describes the requirements to be satisfied. The underlying automaton A' of (A',b') is used to describe correctness requirements that do not involve time, whereas the boundmap b' is used to describe timing requirements; more specifically, b' specifies upper and lower bounds for various kinds of events to occur, where each "kind of event" corresponds to a partition class C of A'. Thus, for each class C, the definition mentions one variant function g_C to describe progress toward guaranteeing the upper bound requirement given by b'_u(C), and another variant function h_C to describe progress toward guaranteeing the lower bound requirement given by b'_l(C). Each of these variant functions is a function from the states of automaton time(A,b) to ℜ ∪ {∞}. Along with the functions g_C and h_C, the definition also uses another function f that describes a correspondence between states of the underlying automata A and A'. The various conditions in the definition assert that the function f is a correct correspondence between states of A and A', and that the functions g_C and h_C provide correct measures of progress toward their respective goals.

We caution the reader that this definition is somewhat technical. One aspect that may seem especially troubling is that it is based on a mixture of the two styles of definition, time(A,b) vs. (A',b'). However, note that the mixture is completely consistent, always using the time(A,b) definition at the lower level and the (A',b') definition at the higher level. The time(A,b) definition is used at the lower level because the progress measures are naturally defined in terms of states of time(A,b) (in particular, in terms of the values of the first and last variables). On the other hand, the (A',b') definition is used at the higher level because it permits decomposition of the properties that need to be shown to demonstrate the existence of a strong possibilities mapping into very small pieces. We hope that the reader will be convinced by our examples in Section 5 that the given properties provide a very direct route to showing the existence of such a mapping.

Definition 4.2 Let (A,b) and (A',b') be timed automata with the same external action signature, and let Π be the common set of external actions. Let f be a mapping from states of A to states of A'. For each C ∈ part(A'), let g_C and h_C be mappings from states of time(A,b) to ℜ ∪ {∞}. Then the collection of mappings (f, (g_C, h_C)_{C ∈ part(A')}) is a variant function collection from (A,b) to (A',b') provided that the following conditions hold:

1. If s is a start state of time(A,b) and v = f(s.basic), then v is a start state of A'. Moreover, for each C ∈ part(A') such that v ∈ enabled(A',C), we have g_C(s) ≤ b'_u(C) and h_C(s) ≥ b'_l(C).

2. Suppose s' is a reachable state of time(A,b), (s', (π,t), s) is a step of time(A,b), where π ≠ NULL, v' = f(s'.basic) and v = f(s.basic). Then there is an execution fragment α of A' beginning and ending with v' and v respectively, such that:

(a) α|Π = π|Π.

(b) For each C ∈ part(A'):

i. If b'_l(C) > 0 and a C step occurs in α, then there is only one C step in α, all states occurring in α prior to the C step are in enabled(A',C) and t ≥ h_C(s').

ii. If all states in α are in enabled(A',C) and if no C events occur in α, then g_C(s) ≤ g_C(s') and h_C(s) ≥ h_C(s').

iii. If v ∈ enabled(A',C), and if either there is a state in α in disabled(A',C) or a C event occurs in α, then g_C(s) ≤ t + b'_u(C) and h_C(s) ≥ t + b'_l(C).

3. If s' is a reachable state of time(A,b) and (s', (NULL,t), s) is a step of time(A,b), then for each C ∈ part(A'):

(a) t ≤ g_C(s').

(b) g_C(s) ≤ g_C(s') and h_C(s) ≥ h_C(s').

The meaning of these conditions is as follows. Condition 1 asserts that any start state s of time(A,b) corresponds to a start state of A'; moreover, the value for each variant function in state s is defined in an appropriate way to enable proof of the desired bound. For example, consider the upper bound requirement for class C, as specified by the boundmap value b'_u(C). If class C is enabled in state v and remains enabled, then we will wish to prove that some action in C will occur by time at most b'_u(C). In order to use the variant function g_C as a progress measure to prove this upper bound, we require that the initial value of g_C should be no greater than the bound b'_u(C) to be proved.

Condition 2 asserts that each non-null step of time(A,b) has a corresponding execution fragment of A' satisfying certain properties. Condition 2(a) says that the execution fragment exhibits the same external behavior as the given step, while Condition 2(b) says that the values of the variant functions are handled appropriately to enable proof of the desired bounds. Condition 2(b)i says that each variant function h_C does in fact describe a lower bound on the time by which an action in C may occur. If the lower bound specified by the boundmap b' for C is 0, then there is nothing to show for this condition; if it is nonzero, then a C step should only occur if the time at which it occurs is at least as great as the time h_C(s'). However, there is a technicality that arises in this condition: recall that the lower bound requirement for C is restarted whenever C becomes enabled or a C step occurs. This means that a violation of the lower bound requirement given by b'_l(C) could occur in the given execution fragment if class C becomes enabled in the fragment or a C step occurs, and then a subsequent step of C occurs; even though the time for this C step is at least h_C(s'), that time might not be sufficiently great to satisfy the restarted lower bound requirement. In order to cope with this troublesome situation, we simply rule out this pattern from the execution fragments we consider.

Condition  2(b)ii  simply  says  that  the  variant  functions  are  maintained  properly  when  no 
relevant  steps  occur;  for  example,  consider  the  upper  bound  requirement  for  class  C.  If  no 
actions  in  C  occur  and  C  remains  enabled,  then  the  variant  function  used  as  a  progress  measure 
for  C’s  upper  bound  may  decrease,  but  it  should  not  be  allowed  to  increase.  Finally,  Condition 
2(b)iii  says  that  the  variant  functions  are  restarted  properly  when  a  class  C  becomes  enabled  or 
when  an  action  in  C  occurs.  The  considerations  are  analogous  to  those  for  proper  initialization. 

Condition 3 describes what must happen when a null step of time(A,b) occurs. Condition 3(a) says that each variant function g_C does in fact describe an upper bound on the time by which an action in C must occur. That is, if the system time(A,b) is in state s', then it is not permissible for time to pass beyond time g_C(s') without some action in C occurring. Condition 3(b) is similar to Condition 2(b)ii, in that it says that the variant functions are maintained properly when nothing of interest occurs.

We now show how variant function collections can be used to generate strong possibilities mappings. Let (f, (g_C, h_C)_{C ∈ part(A')}) be a variant function collection from (A,b) to (A',b'). Then we define a mapping f from states of time(A,b) to sets of states of time(A',b') by: u ∈ f(s) iff

1. u.basic = f(s.basic),

2. u.time = s.time,

3. u.last(C) ≥ g_C(s) for each C ∈ part(A'), and

4. u.first(C) ≤ h_C(s) for each C ∈ part(A').

The next lemma shows that f is a strong possibilities mapping.

Lemma 4.3 Suppose that (A,b) and (A',b') are timed automata with the same external action signature, and suppose that (f, (g_C, h_C)_{C ∈ part(A')}) is a variant function collection from (A,b) to (A',b'). Let f be the corresponding mapping defined just above. Then f is a strong possibilities mapping from time(A,b) to time(A',b').

Proof: We show the three conditions of Definition 4.1. Condition 3 is immediate by definition.

For Condition 1, let s be a start state of time(A,b). Then the first condition of Definition 4.2 yields a start state v of A' such that v = f(s.basic) and, for all C ∈ part(A'), if v ∈ enabled(A',C) then g_C(s) ≤ b'_u(C) and h_C(s) ≥ b'_l(C). Define u to be the (unique) start state of time(A',b') having u.basic = v. By definition of the start states of time(A',b'), it follows that u.time = 0 = s.time, u.last(C) = b'_u(C) if v ∈ enabled(A',C) and u.last(C) = ∞ otherwise, and u.first(C) = b'_l(C) if v ∈ enabled(A',C) and u.first(C) = 0 otherwise. Then we have u.basic = v = f(s.basic), u.time = s.time, and u.last(C) ≥ g_C(s) and u.first(C) ≤ h_C(s) for all C, which implies that u ∈ f(s), as needed.

Now we show Condition 2 of Definition 4.1. Let Π be the common set of external actions for (A,b) and (A',b'). Suppose that s' is a reachable state of time(A,b), u' ∈ f(s') is a reachable state of time(A',b'), and (s', (π,t), s) is a step of time(A,b). Since u' ∈ f(s'), it follows that u'.basic = f(s'.basic), u'.time = s'.time, and u'.last(C) ≥ g_C(s') and u'.first(C) ≤ h_C(s') for all C ∈ part(A').

We consider two cases:

1. π ≠ NULL.

Then Condition 2 of Definition 4.2 yields an execution fragment α of A' with the properties detailed in that definition. We modify α to obtain an execution fragment α' of time(A',b'), by using the same sequence of events as in α, associating time t with each event, and filling in the values of the time, last and first variables as determined by the definition of time(A',b').

In order to show that the resulting α' is an execution fragment of time(A',b'), we must argue that the designated times of events are within the bounds allowed by the definition of time(A',b'). The only interesting condition to show is Condition 1(c)i of the definition of time(A',b'), for a class C that has b'_l(C) > 0: we must show that if any action in such a class C occurs in α', then u''.first(C) ≤ t, where u'' is the state of time(A',b') just prior to that C event. By Condition 2(b)i of Definition 4.2, there is only one C event in α, and all states in α prior to the given C event are in enabled(A',C); by the definition of time(A',b'), this implies that u''.first(C) = u'.first(C). Condition 2(b)i of Definition 4.2 also implies that t ≥ h_C(s'); since u'.first(C) ≤ h_C(s'), this implies that u'.first(C) ≤ t, so that u''.first(C) ≤ t, as needed.

Now we define the extended step (u', β, u) of time(A',b') that arises from α'; that is, u is the last state in α' and β = sched(α'). We show that this extended step satisfies the conditions required in Definition 4.1. First, we must show that u ∈ f(s), that is, that u.basic = f(s.basic), u.time = s.time, and that u.last(C) ≥ g_C(s) and u.first(C) ≤ h_C(s) for all C. But u.basic = f(s.basic) by the definition of α, and u.time = t = s.time, showing the first two of these conditions. To see that u.last(C) ≥ g_C(s), note that u'.last(C) ≥ g_C(s') since u' ∈ f(s'); Conditions 2(b)ii and 2(b)iii of Definition 4.2 and the definition of time(A',b') then imply the needed inequality. A similar argument holds for the lower bound condition.

Also, since α|Π = π|Π, it follows that β|(Π × ℜ) = (π,t)|(Π × ℜ). Thus, Condition 2 of Definition 4.1 is satisfied.

2. π = NULL.

Define state u of time(A',b') to be the same as state u', except that u.time = t. We claim that (u', (NULL,t), u) is the required extended step of time(A',b').

First, we argue that (u', (NULL,t), u) is a step of time(A',b'). By definition of time(A',b'), the only interesting condition to check is that t ≤ u'.last(C) for all C ∈ part(A'). So fix C ∈ part(A'). Condition 3(a) of Definition 4.2 implies that t ≤ g_C(s'); since u'.last(C) ≥ g_C(s'), we have t ≤ u'.last(C), as needed.

Now we check the remaining requirements for Condition 2 of Definition 4.1. The correspondence between external action sequences is easy to see. We argue that u ∈ f(s). Since u.basic = u'.basic, s.basic = s'.basic and u'.basic = f(s'.basic), it follows that u.basic = f(s.basic). Also, u.time = t = s.time. Let C ∈ part(A'). Then u.last(C) = u'.last(C) ≥ g_C(s'), and g_C(s') ≥ g_C(s) by Condition 3(b) of Definition 4.2. Therefore, u.last(C) ≥ g_C(s). A similar argument shows that u.first(C) ≤ h_C(s). Therefore, Condition 2 of Definition 4.1 holds, as needed. ■


Now  we  give  the  main  theorem  about  variant  function  collections,  saying  that  their  existence 
implies  timed  behavior  inclusion. 

Theorem 4.4 Suppose that (A,b) and (A',b') are timed automata with the same external action signature. If there exists a variant function collection from (A,b) to (A',b'), then every timed behavior of (A,b) is a timed behavior of (A',b').

Proof:  By  Lemma  4.3  and  Theorem  4.2.  ■ 

5  Examples 

In this section, we present two examples for which we prove time upper and lower bounds using our mapping techniques (in particular, variant function collections).

5.1 Resource Manager


Our  first  example  is  a  simple  resource-granting  system  adapted  from  an  algorithm  in  [AtL89]. 
The  system  consists  of  two  components,  a  clock  and  a  manager.  The  clock  ticks  at  an 
approximately-predictable  rate,  and  the  manager  counts  ticks  in  order  to  decide  when  to  grant 
a  resource.  We  wish  to  analyze  the  time  until  the  first  grant,  and  the  time  between  each 
successive  pair  of  grants. 

We describe the algorithm and its timing assumptions as a timed automaton (A,b). The required timing behavior is presented as a timed automaton (A',b'); we prove that the algorithm satisfies the requirements by exhibiting a variant function collection from (A,b) to (A',b').


5.1.1  The  Algorithm 

The algorithm consists of two components, a clock and a manager. The clock has only one action, the output TICK, which is always enabled, and has no effect on the clock's state. It can be described as the particular one-state I/O automaton with the following steps.⁵

TICK 

Precondition: 

true 

Effect: 

none 


The  partition  contains  a  single  class,  which  contains  the  single  output  event  TICK.  For 
convenience,  we  overload  the  notation  and  designate  this  singleton  class  as  TICK  also. 

The manager can be described as another I/O automaton, this one having one input action, TICK, and one output action, GRANT. The manager waits a particular number k > 0 of clock ticks before issuing each GRANT, counting from the beginning or from the last preceding GRANT. The manager's state has one variable: TIMER, holding an integer, initially k.

The  manager’s  algorithm  is  as  follows: 

TICK 

Effect: 

TIMER := TIMER − 1


⁵In the notation we use for automata, a separate description is given for the steps involving each action. Instead of listing the steps, we provide a "precondition" which describes the set of states in which the action is enabled, and an "effect" which describes the changes caused by the action. Input actions do not have a precondition, because they are always enabled.
GRANT

Precondition:

TIMER ≤ 0

Effect:

TIMER := k

Thus, in the situation we are modeling, when the GRANT action's precondition becomes satisfied, the action does not occur instantly; the action waits until the automaton's next local step occurs. The partition has a single class, containing the single output action GRANT; we call this class GRANT as well. Fix A to be the I/O automaton which is the composition of the clock and manager automata, with the TICK output action hidden (using the I/O automaton hiding operator to convert it to an internal action); thus, the only external action of A is the output action GRANT.

The boundmap b associates the lower bound c_1 and upper bound c_2 with the class TICK, where 0 < c_1 ≤ c_2 < ∞; this means that the times between successive TICK events, and the time of the first TICK event, are in the interval [c_1, c_2]. The boundmap b also associates the lower bound 0 and upper bound l with the class GRANT, where 0 ≤ l < ∞; this means that the times between successive chances for the manager to take a step, and the time of the first such chance, are in the interval [0, l]. We assume that c_1 > l.⁶ We wish to show that all the timed behaviors of (A,b) satisfy certain upper and lower bounds on the time up to the first GRANT and the time between consecutive pairs of GRANT events.

We begin our analysis by stating some useful invariant properties of the algorithm. In order to do this, we need timing information to be included in the state, so we consider the automaton time(A,b), constructed as described in Section 3. Note that in this case, the automaton time(A,b) has the following variables: basic, time, first(TICK), last(TICK), first(GRANT), and last(GRANT). The next lemma states invariant properties of the automaton time(A,b). Notice that the second property involves the time prediction variables.

We  again  use  record  notation  to  designate  state  components,  e.g.,  we  use  s.TIMER  to 
denote  the  value  of  the  TIMER  component  of  s.basic. 

Lemma 5.1 The following are true about any reachable state s of time(A,b).

1. s.TIMER ≥ 0.

2. If s.TIMER = 0 then s.first(TICK) ≥ s.last(GRANT) + c1 − l.

Proof: By induction on the length of an execution leading to s. If the length is 0, then s.TIMER = k > 0, so the conditions are easily seen to be true. So suppose that (s',(π,t),s) is a step of time(A,b), where s' is reachable in n steps and the conditions are true for s'. We consider cases.

⁶ This assumption is needed, for example, for Lemma 5.1. Other assumptions could be used, but they would lead to slightly different bounds.

1. π = GRANT.

Then the effect of the GRANT action implies that s.TIMER = k > 0, which implies both conditions.

2. π = TICK.

Suppose that s.TIMER < 0. Then s'.TIMER = 0, by the effect of the step and the inductive hypothesis. The inductive hypothesis also implies that s'.first(TICK) ≥ s'.last(GRANT) + c1 − l. Since c1 > l (by assumption), this implies that s'.first(TICK) > s'.last(GRANT). Since s'.last(GRANT) ≥ s'.time = t, it follows that s'.first(TICK) > t. But then the definition of time(A,b) implies that TICK is not enabled in s', a contradiction. Thus, s.TIMER ≥ 0, showing the first condition.

Now, s.first(TICK) = t + c1 and s.last(GRANT) ≤ t + l. This implies that s.first(TICK) ≥ s.last(GRANT) + c1 − l, showing the second condition.

3. π = NULL.

Then all of the terms involved in the two conditions are the same in s' and s, so the conditions are preserved.


5.1.2  The  Requirements  Automaton 

We show the following, for any timed behavior β of (A,b):

1. There are infinitely many GRANT events in β.

2. If t is the time of the first GRANT event in β, then k·c1 − l ≤ t ≤ k·c2 + l.

3. If t1 and t2 are the times of any two consecutive GRANT events in β, then k·c1 − l ≤ t2 − t1 ≤ k·c2 + l.


We  let  P  denote  the  set  of  sequences  of  (action,  time)  pairs,  where  the  only  action  is  GRANT, 
satisfying  the  above  three  conditions. 

We specify P in terms of another timed automaton, (A',b'). Define A' to have a single state and a single GRANT output action enabled in that state, and define the boundmap b' to assign to the unique class of A' the lower and upper bounds k·c1 − l and k·c2 + l, respectively.

Note that the timed behaviors of (A',b') are exactly the sequences in P.
5.1.3 The Proof

In this subsection, we give a variant function collection from (A,b) to (A',b'), thereby showing that all timed behaviors of (A,b) are also timed behaviors of (A',b'). This fact yields Theorem 5.3, which says that all timed behaviors of (A,b) are in P.

The mapping is defined by means of a variant function collection (f, g_GRANT, h_GRANT), where f(s.basic) is the unique state of A', for all s, and

$$g_{GRANT}(s) = \begin{cases} s.last(TICK) + (s.TIMER - 1)c_2 + l & \text{if } s.TIMER > 0,\\ s.last(GRANT) & \text{otherwise,} \end{cases}$$

and

$$h_{GRANT}(s) = \begin{cases} s.first(TICK) + (s.TIMER - 1)c_1 & \text{if } s.TIMER > 0,\\ s.time & \text{otherwise.} \end{cases}$$

The variant functions give explicit upper and lower bounds for the time of the next GRANT event, in terms of the values of the variables in the state of time(A,b). For instance, if s.TIMER > 0, a TICK event must happen within time s.last(TICK), and then after s.TIMER − 1 additional ticks, each happening after at most c2 time, TIMER will become 0, thus enabling the GRANT, which will happen within time at most l.

Since there is only one class in the partition of A', we drop the subscript GRANT on the variant functions for the rest of this example, writing simply g and h in place of g_GRANT and h_GRANT.


Lemma 5.2 The triple (f,g,h) is a variant function collection from (A,b) to (A',b').

Proof: Let s be the unique start state of time(A,b). Then s.TIMER = k > 0, s.last(TICK) = c2 and s.first(TICK) = c1, so that

$$g(s) = s.last(TICK) + (s.TIMER - 1)c_2 + l = k \cdot c_2 + l$$

and

$$h(s) = s.first(TICK) + (s.TIMER - 1)c_1 = k \cdot c_1 \ge k \cdot c_1 - l.$$

Let v = f(s.basic). Then v is the unique start state of A'. Also,

$$b'_u(GRANT) = k \cdot c_2 + l = g(s)$$

and

$$b'_l(GRANT) = k \cdot c_1 - l \le h(s).$$

This shows Condition 1 of Definition 4.2.

Now we show Condition 2. Suppose that s' is a reachable state of time(A,b) and (s',(π,t),s) is a step of time(A,b), where π is nonnull. Let v denote the unique state of A'. We consider cases.




1. π = GRANT.

Then s'.TIMER ≤ 0 and s.TIMER = k > 0, by the precondition and effect of GRANT in A; thus, s'.TIMER = 0 by Lemma 5.1. Lemma 5.1 also implies that s'.first(TICK) ≥ s'.last(GRANT) + c1 − l.

Let α be the execution fragment (v, GRANT, v) of A'. Then Condition 2(a) of Definition 4.2 is immediate. For Condition 2(b)i, the enabling and uniqueness conditions are immediate; moreover,

$$\begin{aligned} t &= s'.time && \text{by definition of } time(A,b),\\ &= h(s') && \text{since } s'.TIMER = 0, \end{aligned}$$

as needed.

Condition 2(b)ii is vacuously true, since a GRANT event occurs in α. For Condition 2(b)iii, we must show that g(s) ≤ t + b'_u(GRANT) and h(s) ≥ t + b'_l(GRANT). For the upper bound, we have that s.last(TICK) ≤ t + c2, by definition of time(A,b). Therefore,

$$\begin{aligned} g(s) &= s.last(TICK) + (k - 1)c_2 + l && \text{since } s.TIMER = k > 0,\\ &\le t + k \cdot c_2 + l,\\ &= t + b'_u(GRANT), \end{aligned}$$

as needed.

For the lower bound, we have that s.first(TICK) = s'.first(TICK) and s'.last(GRANT) ≥ t, by definition of time(A,b). Therefore,

$$\begin{aligned} h(s) &= s.first(TICK) + (k - 1)c_1 && \text{since } s.TIMER > 0,\\ &= s'.first(TICK) + (k - 1)c_1,\\ &\ge s'.last(GRANT) + k \cdot c_1 - l && \text{by Lemma 5.1},\\ &\ge t + k \cdot c_1 - l,\\ &= t + b'_l(GRANT), \end{aligned}$$

as needed.

2. π = TICK.

Then s.TIMER = s'.TIMER − 1. Let α be the trivial execution fragment v of A'. Once again, Condition 2(a) of Definition 4.2 is immediate. Conditions 2(b)i and 2(b)iii are vacuously true. For Condition 2(b)ii, we must show that g(s) ≤ g(s') and h(s) ≥ h(s'). There are two cases.

(a) s.TIMER > 0.

For the upper bound, we have that s.last(TICK) = t + c2 and t ≤ s'.last(TICK), by definition of time(A,b); therefore, s.last(TICK) ≤ s'.last(TICK) + c2. Thus,

$$\begin{aligned} g(s) &= s.last(TICK) + (s.TIMER - 1)c_2 + l,\\ &= s.last(TICK) + (s'.TIMER - 2)c_2 + l && \text{since } s.TIMER = s'.TIMER - 1,\\ &\le s'.last(TICK) + (s'.TIMER - 1)c_2 + l,\\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we have that s.first(TICK) = t + c1 and s'.first(TICK) ≤ t by the definition of time(A,b); therefore, s.first(TICK) ≥ s'.first(TICK) + c1. Thus,

$$\begin{aligned} h(s) &= s.first(TICK) + (s.TIMER - 1)c_1,\\ &\ge s'.first(TICK) + c_1 + (s.TIMER - 1)c_1,\\ &= s'.first(TICK) + (s'.TIMER - 1)c_1 && \text{since } s.TIMER = s'.TIMER - 1,\\ &= h(s'), \end{aligned}$$

as needed.

(b) s.TIMER = 0.

Then s'.TIMER = 1. For the upper bound, we have that s.last(GRANT) ≤ t + l and t ≤ s'.last(TICK), so that s.last(GRANT) ≤ s'.last(TICK) + l, by definition of time(A,b). Therefore,

$$\begin{aligned} g(s) &= s.last(GRANT),\\ &\le s'.last(TICK) + l,\\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we have that s.time = t and s'.first(TICK) ≤ t, so that s.time ≥ s'.first(TICK). Therefore,

$$\begin{aligned} h(s) &= s.time,\\ &\ge s'.first(TICK),\\ &= h(s'), \end{aligned}$$

as needed.

Now consider a step (s',(NULL,t),s) of time(A,b), where s' is a reachable state of time(A,b). Then

$$g(s') = \begin{cases} s'.last(TICK) + (s'.TIMER - 1)c_2 + l & \text{if } s'.TIMER > 0,\\ s'.last(GRANT) & \text{otherwise.} \end{cases}$$

Therefore, g(s') ≥ min(s'.last(TICK), s'.last(GRANT)). By the definition of time(A,b), it must be that t ≤ min(s'.last(TICK), s'.last(GRANT)); thus, t ≤ g(s'), which shows Condition 3(a) of Definition 4.2. For Condition 3(b), we must show that g(s) ≤ g(s') and h(s) ≥ h(s'). But since only the value of time is different in s and s', and s.time ≥ s'.time, these inequalities follow immediately from the definitions of the variant functions g and h. ■


Now we can put the pieces together.

Theorem 5.3 All timed behaviors of (A,b) are in P.

Proof: Lemma 5.2 yields a variant function collection from (A,b) to (A',b'). Thus, by Theorem 4.4, any timed behavior β of (A,b) is a timed behavior of (A',b'). This implies that β ∈ P.


5.1.4  Discussion 

The bounds that we have proved above are nearly tight. Specifically, it is possible to produce four timed executions of (A,b) that exhibit the following types of behavior:

1. The time until the first GRANT is exactly k·c1.

2. The time until the first GRANT is exactly k·c2 + l.

3. The time between the first and second GRANT events is exactly k·c1 − l.

4. The time between the first and second GRANT events is exactly k·c2 + l.

The only discrepancy between these bounds and those proved above is a difference of l in the lower bound for the first GRANT.

For example, the first bound is realized by the timed execution of (A,b) that has the following timed schedule:

(TICK, c1), (TICK, 2·c1), ..., (TICK, k·c1), (GRANT, k·c1).

The second bound is realized by the timed execution that has the following timed schedule:

(TICK, c2), (TICK, 2·c2), ..., (TICK, k·c2), (GRANT, k·c2 + l).

The third bound is realized by:

(TICK, c1), (TICK, 2·c1), ..., (TICK, k·c1), (GRANT, k·c1 + l),
(TICK, (k+1)·c1), (TICK, (k+2)·c1), ..., (TICK, 2k·c1), (GRANT, 2k·c1).

Finally, the fourth bound is realized by:

(TICK, c2), (TICK, 2·c2), ..., (TICK, k·c2), (GRANT, k·c2),
(TICK, (k+1)·c2), (TICK, (k+2)·c2), ..., (TICK, 2k·c2), (GRANT, 2k·c2 + l).

Note that it is possible to modify our proof to give the tight lower bound of k·c1 for the first GRANT; the idea is to split the requirements to be proved so they are expressed by two separate partition classes in (A',b'), one for the first GRANT and one for the time between pairs of GRANT events. The two classes will have different lower bounds. There is a slight technical difficulty in that the algorithm (A,b) would have to be modified slightly in order to distinguish the first GRANT event from successive GRANT events, but there is no problem in principle.

Note  that  our  resource  manager  is  much  simpler  than  the  usual  examples  of  resource- 
granting  systems;  in  particular,  there  is  no  request  input  that  triggers  the  GRANT  output. 
We  do  not  think  that  adding  such  structure  would  increase  the  conceptual  difficulty  of  the 
example  or  expose  any  interesting  property  of  the  methodology  we  suggest  here;  however,  it 
would  make  the  analysis  somewhat  longer. 

5.2  Two-Process  Race  System 

We consider a system composed of two processes, X and Y. Process X increments a counter until process Y modifies a flag, and then decrements the counter. When the counter reaches 0, process X announces that it is done. We are interested in upper and lower bounds on the time until a "done" announcement occurs.

Again,  we  describe  the  algorithm  and  its  timing  assumptions  as  a  timed  automaton  (A,b), 
and  the  required  timing  behavior  as  another  timed  automaton  (A',b'),  and  produce  a  variant 
function  collection  from  (A,b)  to  (A',b'). 

5.2.1  The  Algorithm 

The system is described as a single timed automaton (A,b) containing two classes representing the two processes X and Y. Automaton A has state variables x, y and done, where x and y are integers, initially 0, and done is a Boolean, initially false. There is one output action, DONE, three internal actions, SET, INC and DEC, and no input actions. The partition classes are X = {INC, DEC, DONE} and Y = {SET}. Intuitively, there are two sequential processes (using shared memory), one of which performs the SET action and one of which performs the other three. The transitions are as follows.

SET
  Precondition:
    y = 0
  Effect:
    y := 1

INC
  Precondition:
    y = 0
  Effect:
    x := x + 1

DEC
  Precondition:
    y = 1
    x > 0
  Effect:
    x := x − 1

DONE
  Precondition:
    y = 1
    x = 0
    done = false
  Effect:
    done := true


The boundmap b for A assigns the lower bound l1 and the upper bound l2, where 0 < l1 ≤ l2 < ∞, with each of the two partition classes, indicating that the time between successive steps of each of the two processes is in the interval [l1, l2]. We are interested in determining the maximum and minimum times taken by the timed automaton (A,b) from the beginning until the DONE action occurs.

5.2.2  The  Requirements  Automaton 

We wish to show that any timed behavior β of (A,b) contains exactly one DONE event, occurring at a time in the interval [l1, (2 + ⌊l2/l1⌋) l2]. Let P denote the set of sequences of (action, time) pairs, where the only action is DONE, satisfying this condition.

We specify P in terms of a timed automaton (A',b'), defined as follows. A' has two states, active and inactive, with start state active, and a single action, DONE, which is an output action enabled in state active and whose effect is to change the state to inactive. The boundmap b' assigns to the single class DONE the lower and upper bounds l1 and (2 + ⌊l2/l1⌋) l2, respectively. Note that the timed behaviors of (A',b') are exactly the sequences in P.

5.2.3  The  Proof 

In this subsection, we define a variant function collection from (A,b) to (A',b'), which implies that every timed behavior of (A,b) satisfies P. The variant function collection, (f, g_DONE, h_DONE), has f(s.basic) = active if done = false and inactive if done = true, and

$$g_{DONE}(s) = \begin{cases} s.last(Y) + \Bigl(s.x + 2 + \Bigl\lfloor \dfrac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2 & \text{if } s.y = 0 \text{ and } s.first(X) \le s.last(Y),\\ s.last(X) + s.x \cdot l_2 & \text{otherwise,} \end{cases}$$

$$h_{DONE}(s) = \begin{cases} s.first(X) + (s.x + 2) l_1 & \text{if } s.y = 0 \text{ and } s.first(Y) > s.last(X),\\ s.first(X) + s.x \cdot l_1 & \text{otherwise.} \end{cases}$$

We give some intuition for the first, more complicated case of each inequality. For the upper bound, this is the case where another step of X can occur before the next (and only) step of Y occurs. In this case, ⌊(s.last(Y) − s.first(X))/l1⌋ measures how many additional steps of X (after the indicated step of X) can fit before Y must take a step, and (s.x + 2 + ⌊(s.last(Y) − s.first(X))/l1⌋) l2 is the longest time it can take from the time SET occurs (which is at most s.last(Y)) until DONE occurs. In more detail, at the time the SET occurs, the value of x is at most s.x + 1 + ⌊(s.last(Y) − s.first(X))/l1⌋, so it takes this number of DEC events (each consuming at most l2 time) until x gets set to 0, and at most another l2 until DONE occurs.

For the lower bound, the first case is the case where another step of X must occur before the next (and first) step of Y occurs. In this case, x will be increased at time at least s.first(X), and it will take at least x + 1 DEC operations (each consuming at least l1 time) until x gets set to 0 and another l1 time until DONE occurs. The second cases of both inequalities are similar, but simpler.

Again, since there is only one class in the partition of A', we will drop the subscript DONE on the variant functions for the rest of this example, writing simply g and h in place of g_DONE and h_DONE.

Lemma 5.4 The triple (f,g,h) is a variant function collection from (A,b) to (A',b').

Proof: Let s be the unique start state of time(A,b). Then s.first(X) = s.first(Y) = l1, s.last(X) = s.last(Y) = l2, s.x = s.y = 0, and s.done = false. Then

$$\begin{aligned} g(s) &= s.last(Y) + \Bigl(s.x + 2 + \Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2\\ &= l_2 + \Bigl(2 + \Bigl\lfloor \frac{l_2 - l_1}{l_1} \Bigr\rfloor\Bigr) l_2\\ &= \Bigl(2 + \Bigl\lfloor \frac{l_2}{l_1} \Bigr\rfloor\Bigr) l_2 \end{aligned}$$

and

$$h(s) = s.first(X) + s.x \cdot l_1 = l_1.$$

Let v = f(s.basic). Then v = active, by definition of f, which is the start state of A'. Also, b'_u(DONE) = (2 + ⌊l2/l1⌋) l2 = g(s) and b'_l(DONE) = l1 = h(s). This shows Condition 1 of Definition 4.2.

Now we show Condition 2. Suppose that s' is a reachable state of time(A,b) and (s',(π,t),s) is a step of time(A,b), where π is nonnull. Also suppose that v' = f(s'.basic) and v = f(s.basic). We consider cases.

1. π = DONE.

Then s'.y = 1, s'.x = 0, s'.done = false, and s.done = true, by the precondition and effect of DONE in A, and s'.first(X) ≤ t, by the definition of time(A,b). Also, v' = f(s'.basic) = active and v = f(s.basic) = inactive.

Let α be the execution fragment (v', DONE, v) of A'. Condition 2(a) is immediate. For Condition 2(b)i, the uniqueness and enabling conditions are immediate; moreover,

$$\begin{aligned} t &\ge s'.first(X),\\ &= h(s') && \text{since } s'.y = 1 \text{ and } s'.x = 0, \end{aligned}$$

as needed.

Condition 2(b)ii is vacuously true, since a DONE event occurs in α. Condition 2(b)iii is also vacuously true, since v ∉ enabled(A', DONE).

2. π = SET.

Then s'.y = 0, s.y = 1, s'.x = s.x, by the precondition and effect of SET in A. Moreover, s'.done = s.done = false, which implies that v' = v = active. Also, s.last(X) = s'.last(X), s.first(X) = s'.first(X), s.last(X) ≤ t + l2, t ≤ s'.last(Y), t ≤ s'.last(X) and s'.first(Y) ≤ t, by definition of time(A,b).

Let α be the trivial execution fragment v' of A'. Condition 2(a) is immediate, and 2(b)i and 2(b)iii are vacuously true. For Condition 2(b)ii, we must show that g(s) ≤ g(s') and h(s) ≥ h(s'). For the upper bound, we consider two cases.

(a) s'.first(X) > s'.last(Y).

Then

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2 && \text{since } s.y = 1,\\ &= s'.last(X) + (s'.x) l_2,\\ &= g(s'), \end{aligned}$$

which suffices.

(b) s'.first(X) ≤ s'.last(Y).

Then

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2,\\ &\le t + l_2 + (s.x) l_2,\\ &\le t + (s'.x + 2) l_2,\\ &\le s'.last(Y) + (s'.x + 2) l_2,\\ &\le s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2,\\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we see that s'.first(Y) ≤ s'.last(X), since t ≤ s'.last(X) and s'.first(Y) ≤ t. Therefore,

$$\begin{aligned} h(s) &= s.first(X) + (s.x) l_1,\\ &= s'.first(X) + (s'.x) l_1,\\ &= h(s'), \end{aligned}$$

which suffices.

3. π = INC.

Then s'.y = s.y = 0 and s.x = s'.x + 1, by the definition of INC. Also, s'.first(X) ≤ t ≤ s'.last(Y), s.last(Y) = s'.last(Y), s.last(X) = t + l2, s.first(X) = t + l1, and s.first(Y) ≤ t + l1, by definition of time(A,b). Thus, g(s') = s'.last(Y) + (s'.x + 2 + ⌊(s'.last(Y) − s'.first(X))/l1⌋) l2.

Let α be the trivial execution fragment v' of A'. As before, the only nontrivial condition to show is Condition 2(b)ii, that g(s) ≤ g(s') and h(s) ≥ h(s'). For the upper bound, we consider two cases.
(a) s.first(X) ≤ s.last(Y).

Then g(s) = s.last(Y) + (s.x + 2 + ⌊(s.last(Y) − s.first(X))/l1⌋) l2. Now,

$$\begin{aligned} \Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor + 1 &= \Bigl\lfloor \frac{s.last(Y) - (t + l_1)}{l_1} \Bigr\rfloor + 1 && \text{since } s.first(X) = t + l_1,\\ &= \Bigl\lfloor \frac{s.last(Y) - t}{l_1} \Bigr\rfloor,\\ &\le \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor && \text{since } t \ge s'.first(X) \text{ and } s.last(Y) = s'.last(Y). \end{aligned}$$

So

$$\begin{aligned} g(s) &= s.last(Y) + \Bigl(s.x + 2 + \Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2,\\ &= s'.last(Y) + \Bigl(s'.x + 3 + \Bigl\lfloor \frac{s.last(Y) - s.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2,\\ &\le s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2,\\ &= g(s'), \end{aligned}$$

as needed.

(b) s.first(X) > s.last(Y).

Then g(s) = s.last(X) + (s.x) l2. Then

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2,\\ &= s.last(X) + (s'.x + 1) l_2,\\ &= t + l_2 + (s'.x + 1) l_2,\\ &\le s'.last(Y) + l_2 + (s'.x + 1) l_2,\\ &= s'.last(Y) + (s'.x + 2) l_2,\\ &\le s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \frac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2 && \text{since } s'.first(X) \le s'.last(Y),\\ &= g(s'), \end{aligned}$$

as needed.


For the lower bound, notice that s.first(Y) ≤ t + l1 ≤ t + l2 = s.last(X). Thus, we have h(s) = s.first(X) + (s.x) l1. There are two cases.
(a) s'.first(Y) ≤ s'.last(X).

Then

$$\begin{aligned} h(s) &= s.first(X) + (s.x) l_1,\\ &\ge s.first(X) + (s'.x) l_1,\\ &\ge t + (s'.x) l_1,\\ &\ge s'.first(X) + (s'.x) l_1,\\ &= h(s'), \end{aligned}$$

as needed.

(b) s'.first(Y) > s'.last(X).

Then

$$\begin{aligned} h(s) &= s.first(X) + (s.x) l_1,\\ &= s.first(X) + (s'.x + 1) l_1,\\ &= s.first(X) - l_1 + (s'.x + 2) l_1,\\ &= t + (s'.x + 2) l_1,\\ &\ge s'.first(X) + (s'.x + 2) l_1,\\ &= h(s'), \end{aligned}$$

as needed.

4. π = DEC.

Once again, let α be the trivial execution fragment v' of A'. As before, the only nontrivial condition to show is Condition 2(b)ii, that g(s) ≤ g(s') and h(s) ≥ h(s'). By the definition of DEC, s'.y = s.y = 1 and s.x = s'.x − 1. Also, s.last(X) = t + l2, s.first(X) = t + l1, t ≤ s'.last(X), and t ≥ s'.first(X), by definition of time(A,b).

For the upper bound, we have that

$$\begin{aligned} g(s) &= s.last(X) + (s.x) l_2,\\ &= t + l_2 + (s.x) l_2,\\ &\le s'.last(X) + l_2 + (s.x) l_2,\\ &= s'.last(X) + (s'.x) l_2,\\ &= g(s'), \end{aligned}$$

as needed.

For the lower bound, we have that

$$\begin{aligned} h(s) &= s.first(X) + (s.x) l_1,\\ &= t + l_1 + (s.x) l_1,\\ &\ge s'.first(X) + l_1 + (s.x) l_1,\\ &= s'.first(X) + (s'.x) l_1,\\ &= h(s'), \end{aligned}$$

as needed.


Now consider a step (s',(NULL,t),s) of time(A,b), where s' is a reachable state of time(A,b). Then

$$g(s') = \begin{cases} s'.last(Y) + \Bigl(s'.x + 2 + \Bigl\lfloor \dfrac{s'.last(Y) - s'.first(X)}{l_1} \Bigr\rfloor\Bigr) l_2 & \text{if } s'.y = 0 \text{ and } s'.first(X) \le s'.last(Y),\\ s'.last(X) + s'.x \cdot l_2 & \text{otherwise.} \end{cases}$$

Thus, g(s') ≥ min(s'.last(Y), s'.last(X)). By the definition of time(A,b), it must be that t ≤ min(s'.last(Y), s'.last(X)); thus, t ≤ g(s'), which shows Condition 3(a) of Definition 4.2. For Condition 3(b), note that there are no changes in any of the terms involved in the definitions of g and h, so g(s) = g(s') and h(s) = h(s'). ■


Theorem 5.5 All timed behaviors of (A,b) are in P.

Proof: As for Theorem 5.3, using Lemma 5.4.


5.2.4  Discussion 

For this example, the bounds we have proved are attainable. That is, there is a timed execution of (A,b) for which the time until a DONE event occurs is exactly l1, and another timed execution for which the time until a DONE event occurs is exactly (2 + ⌊l2/l1⌋) l2.

For example, the bound l1 is realized by the timed execution that has the timed schedule (SET, l1), (DONE, l1). The bound (2 + ⌊l2/l1⌋) l2 is realized by the timed execution having the timed schedule

$$(INC, a l_2), (INC, 2a l_2), \ldots, (INC, \lfloor l_2/l_1 \rfloor a l_2), (SET, l_2),$$
$$(DEC, 2 l_2), (DEC, 3 l_2), \ldots, (DEC, (1 + \lfloor l_2/l_1 \rfloor) l_2), (DONE, (2 + \lfloor l_2/l_1 \rfloor) l_2),$$

where a = 1/⌊l2/l1⌋. This timed execution involves the SET happening at the latest possible time, l2. The maximum possible number of INC events occur prior to the SET, and the last of these occurs at the same time as the SET. The DEC events occur as late as possible.
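As an added illustration (not part of the paper), the following Python program builds the automaton time(A,b) for both examples of this section, the resource manager of Section 5.1 and the race system of Section 5.2, samples random executions of each, and checks along every step the conditions that Lemmas 5.2 and 5.4 prove for the variant functions g and h, together with the GRANT and DONE timing bounds of Theorems 5.3 and 5.5. It assumes the first(C)/last(C) bookkeeping of time(A,b) as used in the proofs above (a class that takes a step or becomes enabled at time t gets first(C) = t + lower bound and last(C) = t + upper bound, a disabled class has last(C) = ∞, actions happen at the current time and only NULL steps advance time); the names manager_spec, race_spec, check_variant and sample_events are the example's own. Random sampling only tests the conditions on the executions it happens to draw; it does not replace the proofs.

```python
import math
import random
from fractions import Fraction as F

def reset(s, c, t, bounds, enabled):
    # Assumed time(A,b) bookkeeping: a stepped or newly enabled class gets
    # (t + lower, t + upper); a disabled class gets (0, inf).
    lo, hi = bounds[c]
    on = enabled[c](s["basic"])
    s["first"][c], s["last"][c] = (t + lo, t + hi) if on else (F(0), math.inf)

def do_step(s, c, t, bounds, enabled, effect):
    """Step (s, (pi, t), s2) with pi in class c; c is None for the NULL step."""
    s2 = {"basic": dict(s["basic"]), "time": t, "first": dict(s["first"]), "last": dict(s["last"])}
    action = None if c is None else effect(c, s2["basic"])
    for d in bounds:
        if d == c or enabled[d](s["basic"]) != enabled[d](s2["basic"]):
            reset(s2, d, t, bounds, enabled)
    return action, s2

def random_execution(spec, rng, max_steps):
    """Sample steps (s', action, t, s) of time(A,b); NULL steps never pass a last(C)."""
    start, bounds, enabled, effect = spec[:4]
    s = {"basic": dict(start), "time": F(0), "first": {}, "last": {}}
    for c in bounds:
        reset(s, c, F(0), bounds, enabled)
    steps = []
    for _ in range(max_steps):
        deadline = min(s["last"].values())
        if deadline == math.inf:  # nothing enabled: the execution has ended
            break
        ready = [c for c in bounds
                 if enabled[c](s["basic"]) and s["first"][c] <= s["time"]]
        c = rng.choice(ready + ([None] if s["time"] < deadline else []))
        t = s["time"]
        if c is None:  # NULL step: random rational time on a 1/100 grid
            a, b = math.ceil(t * 100), math.floor(deadline * 100)
            t = F(rng.randint(a, b), 100) if a <= b else deadline
        action, s2 = do_step(s, c, t, bounds, enabled, effect)
        steps.append((s, action, t, s2))
        s = s2
    return steps

def check_variant(spec, steps):
    """Check g and h along the steps the way Lemmas 5.2 and 5.4 do (Definition 4.2)."""
    g, h, target, lo, hi, active = spec[4:]
    assert g(steps[0][0]) <= hi and h(steps[0][0]) >= lo  # start state (Condition 1)
    for s1, action, t, s2 in steps:
        assert t <= g(s1)                   # time never passes g(s')
        if action == target:
            assert t >= h(s1)               # the event is not earlier than h(s')
            if active(s2):                  # new bounds for the next event
                assert g(s2) <= t + hi and h(s2) >= t + lo
        elif active(s2):                    # any other step: g and h monotone
            assert g(s2) <= g(s1) and h(s2) >= h(s1)

def manager_spec(k, c1, c2, l):
    """Section 5.1: classes TICK [c1, c2] and GRANT [0, l], with g_GRANT, h_GRANT."""
    def effect(c, b):
        b["TIMER"] = b["TIMER"] - 1 if c == "TICK" else k
        return c
    def g(s):
        T = s["basic"]["TIMER"]
        return s["last"]["TICK"] + (T - 1) * c2 + l if T > 0 else s["last"]["GRANT"]
    def h(s):
        T = s["basic"]["TIMER"]
        return s["first"]["TICK"] + (T - 1) * c1 if T > 0 else s["time"]
    return ({"TIMER": k}, {"TICK": (c1, c2), "GRANT": (0, l)},
            {"TICK": lambda b: True, "GRANT": lambda b: b["TIMER"] <= 0},
            effect, g, h, "GRANT", k * c1 - l, k * c2 + l, lambda s: True)

def race_spec(l1, l2):
    """Section 5.2: classes X = {INC, DEC, DONE} and Y = {SET}, both [l1, l2]."""
    def effect(c, b):
        if c == "Y":
            b["y"] = 1
            return "SET"
        act = "INC" if b["y"] == 0 else "DEC" if b["x"] > 0 else "DONE"
        b["x"] += {"INC": 1, "DEC": -1}.get(act, 0)
        b["done"] = b["done"] or act == "DONE"
        return act
    def g(s):
        b, fi, la = s["basic"], s["first"], s["last"]
        if b["y"] == 0 and fi["X"] <= la["Y"]:
            return la["Y"] + (b["x"] + 2 + (la["Y"] - fi["X"]) // l1) * l2
        return la["X"] + b["x"] * l2
    def h(s):
        b, fi, la = s["basic"], s["first"], s["last"]
        if b["y"] == 0 and fi["Y"] > la["X"]:
            return fi["X"] + (b["x"] + 2) * l1
        return fi["X"] + b["x"] * l1
    return ({"x": 0, "y": 0, "done": False}, {"X": (l1, l2), "Y": (l1, l2)},
            {"X": lambda b: not b["done"], "Y": lambda b: b["y"] == 0}, effect,
            g, h, "DONE", l1, (2 + l2 // l1) * l2, lambda s: not s["basic"]["done"])

def sample_events(spec, seed=1, max_steps=400):
    """Sample one execution, check g and h along it, return the target event times."""
    steps = random_execution(spec, random.Random(seed), max_steps)
    check_variant(spec, steps)
    return [t for _, a, t, _ in steps if a == spec[6]]
```

With k = 3, c1 = 2, c2 = 3 and l = 1 (so c1 > l as assumed in Section 5.1), `sample_events(manager_spec(3, 2, 3, 1))` returns the GRANT times of one sampled execution, whose first element and consecutive gaps all lie in [k·c1 − l, k·c2 + l] = [5, 10]; `sample_events(race_spec(2, 5), max_steps=10_000)` returns a single DONE time in [l1, (2 + ⌊l2/l1⌋) l2] = [2, 20]. The simulator keeps time as exact rationals so that the floor in g_DONE and the comparisons against the bounds are not disturbed by rounding; an execution that violated any of the checked conditions would raise an AssertionError.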




6  Conclusions  and  Further  Work 


In this paper, we have described a way to carry out assertional proofs for timing properties of algorithms that have timing assumptions. The method involves expressing an algorithm and its timing assumptions as a timed automaton (A,b), and expressing the timing requirements in terms of a second timed automaton (A',b'). Then we convert the timed automata (A,b) and (A',b') into ordinary (not timed) I/O automata, time(A,b) and time(A',b') respectively, using a general construction that builds predictive timing information into the automaton state. Then the goal of proving timing requirements can be met by demonstrating the existence of a certain type of mapping called a "strong possibilities mapping" from the "assumptions automaton" time(A,b) to the "requirements automaton" time(A',b').

One  way  of  demonstrating  the  existence  of  such  a  mapping  is  based  on  a  collection  of 
variant  functions,  each  designed  to  measure  progress  toward  the  fulfillment  of  one  of  the  upper 
or  lower  bound  requirements  expressed  by  (A',  6').  These  variant  functions  generalize  those 
used  elsewhere  for  program  verification  in  that  they  are  real-valued  rather  than  discrete,  and 
that  they  are  used  for  lower  as  well  as  upper  bounds. 

We  have  applied  this  method  in  this  paper  to  analyze  the  timing  properties  of  two  systems 
-  a  simple  resource-granting  system  and  a  race  system  involving  two  processes.  The  analyses 
of  these  two  examples  are  very  simple.  They  consist  of  case  analyses  based  directly  on  the 
conditions  specified  in  the  definition  of  a  variant  function  collection.  The  style  and  level  of 
difficulty  of  these  proofs  is  exactly  the  same  as  that  of  typical  inductive  proofs  of  invariant  as¬ 
sertions.  Like  other  proofs  of  that  type,  these  remove  the  need  for  complex  dynamic  arguments 
about  the  behavior  of  the  algorithm,  replacing  them  with  simple  checks  involving  individual 
algorithm  steps.  Because  of  the  need  to  check  many  cases,  the  proofs  are  not  extremely  short 
(the  proof  for  each  of  our  simple  examples  is  about  three  pages  long);  however,  this  style 
should  scale  very  well  because  of  the  local  nature  of  the  checks  performed.  Also,  as  for  other 
assertional  proofs,  it  seems  likely  that  proofs  using  this  method  can  someday  be  checked  using 
machine-verification  technology. 

The two examples in this paper are not the only examples to which this method has been applied. In a project being carried out for Digital Equipment Corporation, several timing properties (including self-stabilization properties) have been proved for a new link state packet distribution protocol [LHPV91]. Some of the timing properties proved were unexpected, and were discovered in the course of applying the methods of this paper. Although it is possible to provide some informal intuitions for these properties using ad hoc arguments, we cannot think of a better way than the method of this paper to provide complete and convincing proofs that these properties hold. We have found that variant function collections provide a natural and intuitive way of thinking about the reasons the timing properties hold, as well as a basis for formal correctness arguments. Based on the examples that have been tried so far, we believe that the method is quite practical for use in verifying timing properties for real timing-based algorithms.

In some of the proofs we give for the DEC protocol, we do not give bounds that are as tight as those we have given for the simple examples in this paper. This is not surprising: in general, for complex algorithms, it is often much easier to prove bounds that are somewhat rough than to prove bounds that are actually attainable by a particular execution. The method of this paper supports the proof of non-tight bounds just as easily as the proof of tight bounds.

A good technique for proving timing properties of systems with timing assumptions should be rigorous, simple and general. Our technique is certainly rigorous, and we think it is also quite simple. It remains to consider its generality.

Although it seems to us that timed automata are probably sufficiently general to describe typical implementations, they may not be sufficiently general to describe all interesting requirements specifications. For example, as currently defined, they cannot specify bounds for reaching certain states, but only for the occurrence of certain actions. In [MMT88], the authors express a similar doubt, and address it by generalizing the notion of a boundmap to include certain more general timing conditions. While we could make a similar extension here (indeed, we do make such an extension in an earlier version of this paper [LyA90]), the extra notation required for doing so seems to obscure the essentially simple ideas of our method. Moreover, there is no guarantee that the resulting extension will yet be sufficiently expressive. (Although we state a completeness result in [LyA90] for the generalized specifications, this completeness result is relative to the restriction, not used in this paper, that the underlying automata A and A' are identical.) We have chosen to present our method here using a model that is possibly somewhat too restrictive, and to leave the appropriate generalization for future work.

It remains to relate our method to other methods for proving timing properties. One
method we have considered is the one used for several algorithms in [LG89], based on bounding
the time for the occurrence of intermediate milestones. Such a proof can be expressed by a
series of proofs in our method, one for each intermediate milestone. A good example to
consider is the tournament algorithm for mutual exclusion in [PF77]. The proof sketched in
[LG89] for this algorithm uses recurrence inequalities to bound the time until a given process
wins at various levels of the tournament tree. It should be possible to recast this proof as a
sequence of proofs, one for each level of the tree, where the proof for each level of the tree is a
generic argument based on a single use of the main recurrence inequality. Although we have
not worked out this example in detail, we have done a complete proof [LyA90] of a simpler
example motivated by this one (based on a line rather than a tree). In principle, it seems that
the ideas should extend to the more complex example, but this remains to be done.

Some other techniques to relate to this one include those based on bounded-time temporal
logic (e.g., [BH81]). Also, it remains to see how proofs using our techniques can be applied
in a modular way for the verification of timing properties of large and complex timing-based
systems.

Of course, it remains to apply this technique to the analysis of many other timing-dependent
algorithms. Good sources for algorithms to analyze are the areas of real-time computing and
communication.